
Rights Management Add-on for Microsoft Internet Explorer

Introducing Rights-Managed HTML

Microsoft Corporation

Published: September 2003


In today's digital world, there is an increasing risk of information leaks. Loss of confidential information is causing significant damage to organizations. With the pervasiveness of the Internet and e-mail as common communication tools, coupled with the drive to reduce costs by reducing paper, most organizations extensively use and forward information digitally. This practice increases the risk of confidential information accidentally or intentionally getting into the wrong hands. The potential loss of revenue, competitive advantage, and customer confidence caused by information leaks can be costly to an organization.

This paper provides an overview of how an organization can better protect sensitive information by using Microsoft® Windows® rights management technologies. Specifically, this paper explains the Rights Management Add-on (RMA) for Internet Explorer, the .rmh (RMH) file format, and the Rights-Managed HTML (RMH) software development kit (SDK).

Microsoft Windows Server 2003 White Paper

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2003 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, MSDN, the Office logo, Visual Studio, Windows, the Windows logo, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Microsoft Corporation • One Microsoft Way • Redmond, WA 98052-6399 • USA



Contents

Safeguarding Sensitive Information 4
How RMH Works 6
Usage Scenarios 8
    Sharing Rights-Protected Office 2003 Files 8
    Internal Legacy Web Applications 9
    External Web Applications 10
    Protecting Proprietary Document Formats 11
Understanding the RMH File Format 13
Getting Started 14
Summary 15


Safeguarding Sensitive Information

To safeguard sensitive information such as customer data, financial reports, product specifications, and confidential e-mail messages, organizations are looking to augment their security strategy. Microsoft has heard from customers that they need new ways to help safeguard sensitive information. As a result, Microsoft developed a set of rights management technologies for the Microsoft® Windows® platform to help customers safeguard their sensitive information. This technology combines Windows features, developer tools, and proven security technologies, including encryption, certificates, and authentication, to help create reliable information protection solutions.

Unlike perimeter-based (firewalls, access control lists, and repositories) or transport-based (encrypted delivery) security technologies, Microsoft's rights management technology continues to help protect information during and after it has been accessed or delivered to an authenticated individual, helping to prevent sensitive information from intentionally or accidentally getting into the wrong hands.

The Rights Management Add-on (RMA) for Internet Explorer allows Windows users to view files with restricted permission in a Web browser. These restricted permissions (or rights), which define what the recipient can do with the information, are specified by the author and enforced by the software used to view the information. By installing RMA, Internet Explorer will enforce the rights assigned to any rights-managed HTML (RMH) file.

RMH is a new file format that provides information protection for any information that a Windows application can export to HTML. The recipient can then view the rights-protected information by installing the readily available Internet Explorer with the RMA and the Windows rights management client software. These components are available via a free download.

Since Microsoft Office documents can be saved as HTML, Office documents can be distributed as rights-protected HTML. In fact, Microsoft Office 2003 can embed RMH into all standard rights-protected documents. This allows any user with RMA installed to view any rights-protected Office document.

As Figure 1 shows, RMA displays HTML content in Internet Explorer just as Internet Explorer would display any other file, but gives the author of the information greater control over how the recipient can use the information. The author can allow the recipients to view the file, but not allow them to copy its contents to the clipboard, print the file, or save it to their local hard drive. If an organization has been distributing confidential documents on paper to avoid those documents being accidentally redistributed, using rights-managed HTML can save a great deal of time and money.


Figure 1. The author controls what a user can and cannot do with a document.

With the RMH software development kit (SDK), developers can rights-protect any document, as long as it can be converted to HTML. If an organization has a custom application that generates and distributes reports as HTML, its developers can use the RMH SDK to extend the custom application and add protection to those reports.

If a developer builds software for external customers, those customers can also benefit from RMH. If the customer uses that application to create sensitive information, the developer can offer that customer a dramatically improved level of protection by providing a Save As option to output RMH files. Even if the application requires a proprietary file format, the developer can use the RMH SDK to create rights-protected documents that contain the proprietary format.

Any trusted application, including Internet Explorer with RMA, must communicate with a Microsoft Windows Rights Management Services (RMS) server running on Windows Server® 2003 to retrieve authorization to open a rights-protected file. If the developer builds software for internal customers, that organization must also deploy an RMS server internally to enable clients to access rights-protected information. If a developer builds software for external customers, those customers must also deploy an RMS server, or be trusted into the originating organization's RMS



How RMH Works

The process of creating rights-protected information by using RMH starts when a user or application creates an RMH file and specifies the users who are allowed to open the file, as well as the actions those users are allowed to take with the file; this information is stored in a Publishing License. After the RMH file is created, the publishing application and the rights management client create a key to be used for encrypting and decrypting the content, along with an unsigned Publishing License.

The publishing application then uses Simple Object Access Protocol (SOAP) Web services over HTTP or HTTPS to connect to a server to submit the unsigned Publishing License. This server is a Windows Server 2003 system running RMS. RMS then signs and returns the Publishing License. The publishing application attaches the Publishing License to the rights-managed file. The publishing application will then encrypt the contents, which ensures the author can distribute the file with greater confidence that unauthorized users will not be able to view the contents. The file can be e-mailed, distributed through a Web site, or transferred on physical media. Any method of distributing the file is equally secure because the file itself is encrypted.

When a user wants to view the contents of a rights-protected file, Windows opens the application associated with that file type. In the case of files saved in the RMH format, Windows launches Internet Explorer with RMA. If the rights-protected file was created by another application and has a different file extension, Windows launches the associated application (e.g., Microsoft Office 2003).

The rights management client then extracts the name of the RMS server authorized to issue licenses for the content from the Publishing License attached to the document. The rights management client then submits a request containing the Publishing License and the user's rights management account certificate, a credential issued to the user by the RMS server. The RMS server may be located on the public Internet or a private network; however, the client application must be RMS-enabled and able to submit a Web services request to the RMS server. Fortunately, most firewalls and proxy servers allow this type of request. Figure 2 shows Internet Explorer with RMA communicating with the RMS server.

Figure 2. Users must be validated by the RMS server to decrypt rights-protected information.

RMS will validate the user's credentials, the application, and the computer. After examining the Publishing License, RMS authorizes the user to perform the approved actions. RMS also verifies that the client application is trusted to enforce the limited privileges granted to the user. If the user is authorized to view the encrypted content, and the requesting application is trusted, RMS returns the Use License and decryption key to the client application. The client application is then able to decrypt the file and allow the user to view, copy, or print the contents based on the assigned privileges. The client application will securely store a copy of the Use License. After the document has been opened once, the user will not need to connect to RMS again unless the author specifically requires it.
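The publish-and-consume exchange just described, as a constructed simulation added here (not Microsoft's code and not the RMH SDK): HMAC-SHA256 stands in for the certificate signatures and AES content encryption that RMS actually uses, and the server URL, user names and license field names are assumptions. It shows why a user who is not named in the Publishing License, an untrusted viewer, a tampered license or an expired document yields no Use License, and why a cached Use License keeps working offline only until the document expires.

```python
import hashlib, hmac, json, secrets

# Constructed stand-in for the RMH publish/consume flow. Real RMS uses AES for
# content, certificate-based signatures and SOAP; here HMAC-SHA256 serves as both
# signature and keystream so the block runs offline with the standard library only.
def _sign(key, obj):
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def _verify(key, obj):
    body = {k: v for k, v in obj.items() if k != "sig"}
    return hmac.compare_digest(obj.get("sig", ""), _sign(key, body))

def _keystream_xor(key, data):  # symmetric: the same call encrypts and decrypts
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class RmsServer:  # stand-in RMS server: issues RACs, signs Publishing Licenses, issues Use Licenses
    def __init__(self, url):
        self.url, self._key = url, secrets.token_bytes(32)
    def _wrap_key(self, salt):  # per-license wrapping key so no two wrapped keys share a keystream
        return hmac.new(self._key, bytes.fromhex(salt), hashlib.sha256).digest()
    def issue_rac(self, user):  # rights management account certificate for one user
        rac = {"user": user, "rms": self.url}
        return dict(rac, sig=_sign(self._key, rac))
    def sign_publishing_license(self, unsigned_pl, content_key):
        salt = secrets.token_hex(16)
        pl = dict(unsigned_pl, rms=self.url, salt=salt,
                  wrapped_key=_keystream_xor(self._wrap_key(salt), content_key).hex())
        return dict(pl, sig=_sign(self._key, pl))
    def request_use_license(self, pl, rac, app_trusted, now):
        # Validate the user's credential, the license, and that the viewer is trusted to enforce rights.
        if not (_verify(self._key, pl) and _verify(self._key, rac) and app_trusted):
            return None
        rights = pl["rights"].get(rac["user"])
        if not rights or now > pl["expires"]:
            return None
        key = _keystream_xor(self._wrap_key(pl["salt"]), bytes.fromhex(pl["wrapped_key"]))
        ul = {"user": rac["user"], "rights": rights, "expires": pl["expires"], "key": key.hex()}
        return dict(ul, sig=_sign(self._key, ul))

def publish(rms, html, rights, expires):
    """Publishing app + RM client: fresh content key, PL signed by RMS, then encrypt the body."""
    content_key = secrets.token_bytes(32)
    pl = rms.sign_publishing_license({"rights": rights, "expires": expires}, content_key)
    return {"publishing_license": pl, "body": _keystream_xor(content_key, html.encode()).hex()}

def open_rmh(rmh, use_license, now):
    """Viewer (IE with RMA): a stored Use License works offline until the document expires."""
    if use_license is None or now > use_license["expires"]:
        return None
    html = _keystream_xor(bytes.fromhex(use_license["key"]), bytes.fromhex(rmh["body"])).decode()
    return html, use_license["rights"]
```

The viewer reads the RMS server to contact from `rmh["publishing_license"]["rms"]`, exactly the extraction step the text describes, before calling `request_use_license`.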


Usage Scenarios

RMH is a very flexible technology that can be used out-of-the-box or integrated into complex software. Office 2003 and RMA are the first tools to utilize the RMH SDK to allow developers to take advantage of RMH with absolutely no development effort. The RMH SDK in the hands of a skilled developer offers unlimited possibilities for securely distributing content to a wide audience. The sections that follow discuss some ways that developers can use RMH in different environments.

Sharing Rights-Protected Office 2003 Files

Information Rights Management (IRM) is a new feature in Office 2003, but organizations do not need to wait for everyone to upgrade to take advantage of it. Just as information workers can save a Microsoft Word file as a Web page to allow users without Office installed to view it, users without Office can view rights-protected information created in Office 2003 using Internet Explorer with RMA.

If certain groups within an organization have a need to safeguard sensitive information from unauthorized use, that organization can now give its users the opportunity to create rights-protected information that can be viewed only by authorized recipients. The recipients will need RMS-enabled software, such as Internet Explorer with RMA, to view the information. Internet Explorer with RMA cannot be used to edit documents, even if the recipient has editing privileges. This relatively simple deployment can make it dramatically easier to distribute sensitive information throughout an organization with a much lower risk of information getting into the wrong hands. For example, an organization can arm its salespeople with a rights-protected confidential document, helping to ensure they do not unintentionally share "internal only" information with customers or partners. RMS helps prevent a well-meaning salesperson from providing an internal document to a customer and potentially revealing confidential information. Instead, the salesperson will have the option of contacting the author to request additional rights to share the document, as Figure 3 shows. This gives authors complete control of who can view their document, as well as the opportunity to direct the salesperson to a document specifically written for external consumption.

Figure 3. If the recipient wants to print or copy the document, they need permission.

In this example, only the users creating the documents require Microsoft Office 2003 Professional Edition. If the files are stored on a Web server or a file server, the server does not need to know that the content is rights-protected, and the server does not require any additional software. Naturally, the server will not be able to index the document because the contents of the document are encrypted. The end users require only Internet Explorer with RMA, the rights management client, and a connection to the RMS server. Distributing sensitive documents in this manner significantly reduces the likelihood that confidential information will be leaked outside of the company and minimizes up-front costs.

Another useful aspect of the Windows rights management technology in this scenario is the ability to manage document expiration. Office 2003 allows the document author to specify an expiration date for the rights-protected document. After the expiration date, users can no longer view the document, even if they have previously viewed it and stored a Use License on their computers. This removes any concerns about the document being viewed after its intended period of usefulness.

Internal Legacy Web Applications

Most organizations' intranets contain a great deal of sensitive information. Modern organizations rely on their intranet to distribute many types of confidential information, including:

- Employee names and telephone numbers
- Internal product documentation
- Financial information
- Web-usage reports
- Strategic road maps
- Payroll and accounting reports

Organizations tend to think of these portions of their intranet as secure when access is limited to internal networks and users are forced to provide a username and password to access the intranet Web site. A few organizations take it a step further and require two-factor authentication using smart cards or biometrics. However, none of these security mechanisms provides information protection, because nothing has existed to stop an authorized user from copying, printing, or otherwise redistributing the confidential information.

Today, developers can use the RMH SDK to build an internal Web portal that adds information rights-protection to existing Web applications. As Figure 4 illustrates, a rights-protected portal could translate the HTML responses from a legacy application into RMH on the fly according to specified business rules.


Figure 4. RMH can be used to add information protection to legacy Web applications.

The process of encrypting and decrypting the Web page and contacting the RMS server twice can cause a small delay in opening the file. More computing power is required for each protected page served, and the protected pages will take longer to appear within Internet Explorer. For these reasons, organizations should use RMH to protect only the sensitive information that they would not want an authorized user to intentionally or accidentally redistribute.

External Web Applications

RMH is useful for external Web applications, also. One of the reasons so few businesses share confidential information with partners is that it is almost impossible to control the information once it has been sent to the partner. Though an organization may own the copyright to the content, and grant only specific partners the legal right to view the content, there is currently no technological limitation to stop those partners from sharing the content. RMH provides technical controls to support an organization's legal rights as a copyright owner. In order for partners to view the rights-protected information, they will need to download and install RMA and the rights management client, and be trusted into the author's RMS server environment. Figure 5 illustrates delivery of rights-protected information using an Extranet.
